WO2008070549A3 - Filtering and policing for defending against denial of service attacks a network - Google Patents


Info

Publication number
WO2008070549A3
Authority
WO
WIPO (PCT)
Prior art keywords
data packets
filtering
criterion
transmitted
output module
Prior art date
Application number
PCT/US2007/086065
Other languages
French (fr)
Other versions
WO2008070549A2 (en)
Inventor
Shaun Jaikarran Bharrat
Mark Duffy
Ronald V Grippo
Shiping Li
John A Perreault
Jian Yang
Gary Robert Mccarthy
Original Assignee
Sonus Networks Inc
Shaun Jaikarran Bharrat
Mark Duffy
Ronald V Grippo
Shiping Li
John A Perreault
Jian Yang
Gary Robert Mccarthy
Priority date
Filing date
Publication date
Priority claimed from US11/565,944 (US7940657B2)
Priority claimed from US11/565,940 (US7672336B2)
Priority claimed from US11/565,942 (US7804774B2)
Application filed by Sonus Networks Inc, Shaun Jaikarran Bharrat, Mark Duffy, Ronald V Grippo, Shiping Li, John A Perreault, Jian Yang, Gary Robert Mccarthy
Priority to JP2009539507A (JP2011503912A)
Priority to EP07864977A (EP2090061A2)
Priority to CA002671451A (CA2671451A1)
Publication of WO2008070549A2
Publication of WO2008070549A3

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/141 Denial of service attacks against endpoints in a network

Abstract

Described are computer-based methods and apparatuses, including computer program products, for filtering and policing for defending against denial of service attacks on a network. A data packet is filtered by a multi-tiered filtering and transmission system. Data packets matching the first tier filter are discarded. Data packets matching the second tier filter are transmitted to an output module based on a criterion. Data packets in the third tier filter are hashed into bins and data packets matching an entry in the bin are transmitted to the output module based on a criterion for the bin. Data packets in the fourth tier transmission system are transmitted to the output module based on a criterion. Data packets that do not meet the criterion for transmission to the output module are transmitted to an attack identification module which analyzes the data packets to identify attacks.
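Added example (not code from the patent or its assignee): a minimal Python model of the four-tier pipeline the abstract describes, so a packet's path through the tiers and into either the output module or the attack identification module is concrete. It assumes filters match on source address and that every criterion is a simple per-interval packet budget; the addresses, limits and traffic are constructed.

```python
from collections import Counter
from dataclasses import dataclass, field
import zlib

@dataclass
class TokenBucket:
    """Policing criterion (assumed form): forward while the interval count is below limit."""
    limit: int
    count: int = 0
    def allow(self) -> bool:
        if self.count >= self.limit:
            return False
        self.count += 1
        return True

@dataclass
class Pipeline:
    discard: set                       # tier 1: matching sources are dropped
    permit: dict                       # tier 2: source -> its own criterion
    bins: list                         # tier 3: (entries set, bin criterion) pairs
    default: TokenBucket               # tier 4: criterion for all other traffic
    output: list = field(default_factory=list)            # output module
    attack_id: Counter = field(default_factory=Counter)   # attack identification module

    def process(self, pkt: dict) -> str:
        src = pkt["src"]
        if src in self.discard:                                   # tier 1
            return "discard"
        criterion = self.permit.get(src)                          # tier 2
        if criterion is None:                                     # tier 3: hash into a bin
            entries, bin_criterion = self.bins[zlib.crc32(src.encode()) % len(self.bins)]
            criterion = bin_criterion if src in entries else self.default   # else tier 4
        if criterion.allow():
            self.output.append(pkt)
            return "forward"
        self.attack_id[src] += 1       # failed its criterion: hand to analysis
        return "analyze"

def run_demo() -> tuple:
    """Constructed configuration and traffic (documentation address ranges)."""
    p = Pipeline(discard={"203.0.113.7"},
                 permit={"192.0.2.1": TokenBucket(2)},
                 bins=[(set(), TokenBucket(1)) for _ in range(4)],
                 default=TokenBucket(3))
    p.bins[zlib.crc32(b"198.51.100.5") % 4][0].add("198.51.100.5")  # exercise tier 3
    traffic = (["203.0.113.7"] * 2 + ["192.0.2.1"] * 3
               + ["198.51.100.5"] * 2 + ["198.51.100.9"] * 4)
    verdicts = Counter(p.process({"src": s}) for s in traffic)
    return verdicts, len(p.output), dict(p.attack_id)
```

Sources that exceed their budget are not dropped silently; they are counted in `attack_id`, which is the hand-off to analysis the abstract describes.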

Priority Applications (3)

Application Number Priority Date Filing Date Title
JP2009539507A JP2011503912A (en) 2006-12-01 2007-11-30 Information screening and monitoring restrictions for defense against network denial of service attacks
EP07864977A EP2090061A2 (en) 2006-12-01 2007-11-30 Filtering and policing for defending against denial of service attacks a network
CA002671451A CA2671451A1 (en) 2006-12-01 2007-11-30 Filtering and policing for defending against denial of service attacks on a network

Applications Claiming Priority (6)

Application Number Priority Date Filing Date Title
US11/565,944 US7940657B2 (en) 2006-12-01 2006-12-01 Identifying attackers on a network
US11/565,940 2006-12-01
US11/565,940 US7672336B2 (en) 2006-12-01 2006-12-01 Filtering and policing for defending against denial of service attacks on a network
US11/565,942 US7804774B2 (en) 2006-12-01 2006-12-01 Scalable filtering and policing mechanism for protecting user traffic in a network
US11/565,944 2006-12-01
US11/565,942 2006-12-01

Publications (2)

Publication Number Publication Date
WO2008070549A2 (en) 2008-06-12
WO2008070549A3 (en) 2009-02-12

Family

ID=39493669

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2007/086065 WO2008070549A2 (en) 2006-12-01 2007-11-30 Filtering and policing for defending against denial of service attacks a network

Country Status (4)

Country Link
EP (1) EP2090061A2 (en)
JP (1) JP2011503912A (en)
CA (1) CA2671451A1 (en)
WO (1) WO2008070549A2 (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8339959B1 (en) 2008-05-20 2012-12-25 Juniper Networks, Inc. Streamlined packet forwarding using dynamic filters for routing and security in a shared forwarding plane
US8955107B2 (en) * 2008-09-12 2015-02-10 Juniper Networks, Inc. Hierarchical application of security services within a computer network
US8040808B1 (en) 2008-10-20 2011-10-18 Juniper Networks, Inc. Service aware path selection with a network acceleration device
FR2949934B1 (en) * 2009-09-09 2011-10-28 Qosmos MONITORING A COMMUNICATION SESSION COMPRISING SEVERAL FLOWS ON A DATA NETWORK
US9251535B1 (en) 2012-01-05 2016-02-02 Juniper Networks, Inc. Offload of data transfer statistics from a mobile access gateway

Citations (6)

Publication number Priority date Publication date Assignee Title
US20010007133A1 (en) * 1998-10-28 2001-07-05 Mark Moriconi System and method for maintaining security in a distributed computer network
EP1367798A1 (en) * 2002-05-29 2003-12-03 Alcatel Canada Inc. High-speed adaptative structure of elementary firewall modules
US20040054925A1 (en) * 2002-09-13 2004-03-18 Cyber Operations, Llc System and method for detecting and countering a network attack
US6826698B1 (en) * 2000-09-15 2004-11-30 Networks Associates Technology, Inc. System, method and computer program product for rule based network security policies
US20050240993A1 (en) * 2004-04-22 2005-10-27 Treadwell William S Methodology, system and computer readable medium for streams-based packet filtering
WO2006037809A1 (en) * 2004-10-08 2006-04-13 International Business Machines Corporation Offline analysis of packets

Family Cites Families (2)

Publication number Priority date Publication date Assignee Title
US5473607A (en) * 1993-08-09 1995-12-05 Grand Junction Networks, Inc. Packet filtering for data networks
CN1312892C (en) * 1999-06-30 2007-04-25 倾向探测公司 Method and apparatus for monitoring traffic in network

Also Published As

Publication number Publication date
EP2090061A2 (en) 2009-08-19
JP2011503912A (en) 2011-01-27
WO2008070549A2 (en) 2008-06-12
CA2671451A1 (en) 2008-06-12

Similar Documents

Publication Publication Date Title
CN108282497B (en) DDoS attack detection method for SDN control plane
WO2008070549A3 (en) Filtering and policing for defending against denial of service attacks a network
EP2241072B1 (en) Method of detecting anomalies in a communication system using numerical packet features
WO2007103864A3 (en) BEHAVIOR-BASED TRAFFIC DIFFERENTIATION (BTD) FOR DEFENDING AGAINST DISTRIBUTED DENIAL OF SERVICE(DDoS) ATTACKS
CN105791213B (en) Policy optimization device and method
WO2007088424A3 (en) Method and apparatus for monitoring malicious traffic in communication networks
CN101616129A (en) The methods, devices and systems of anti-network attack flow overload protection
EP2570954A4 (en) Method, device and system for preventing distributed denial of service attack in cloud system
WO2006107712A3 (en) Method and apparatus for defending against zero-day worm-based attacks
WO2012024762A8 (en) Method and apparatus for filtering streaming data
WO2005017708A3 (en) Method and apparatus for detecting predefined signatures in packet payload using bloom filters
CN101547187B (en) Network attack protection method for broadband access equipment
EP1484887A3 (en) A multi-layer based method for implementing network firewalls
WO2014070883A3 (en) Method and system for identifying matching packets
CN101640666A (en) Device and method for controlling flow quantity facing to target network
WO2006105093A3 (en) Methods, systems, and computer program products for network firewall policy optimization
EP4246932A3 (en) Method for transmitting data in a multimedia transmission system
CN101465855B (en) Method and system for filtrating synchronous extensive aggression
CN104767752A (en) Distributed network isolating system and method
CN103546465A (en) Data flow circle monitoring based LDoS (low-rate denial of service) attack detection and defense method
WO2003005666A3 (en) An apparatus and method for secure, automated response to distributed denial of service attacks
WO2009037422A8 (en) Queuing method
MX2009011403A (en) Method and apparatus for detecting port scans with fake source address.
WO2011051026A3 (en) Method and system for processing network events
EP2179542A4 (en) Methods, systems, and computer readable media for collecting data from network traffic traversing high speed internet protocol (ip) communication links

Legal Events

Date Code Title Description
ENP Entry into the national phase: ref document number 2009539507, country JP, kind code A
WWE WIPO information, entry into national phase: ref document number 2671451, country CA; ref document number 2007864977, country EP
NENP Non-entry into the national phase: ref country code DE